Researchers have found yet another CPU feature that can be abused to leak potentially sensitive data, but this time with a twist: The attacker doesn’t need to have local access on the targeted machine because the attack works over the network.

The culprit is Intel’s Data Direct I/O (DDIO) technology, which gives peripheral devices such as network cards direct access to the processor’s internal cache to achieve better performance, less power consumption, and higher data throughput. Before DDIO, these devices exchanged data with the CPU through RAM, whose latency can be a bottleneck.

Attackers can abuse a special type of SMS message used by mobile operators to deliver internet settings to Android phones to launch credible phishing attacks that result in users’ internet traffic being hijacked. According to researchers from Check Point Software Technologies, some phone makers’ implementations of the Open Mobile Alliance Client Provisioning (OMA CP) standard allow anyone to send special provisioning messages to other mobile users with a $10 GSM modem and off-the-shelf software.

A baseboard management controller (BMC) is an independent microcontroller present on server motherboards that allows out-of-band management of those servers. BMCs are like small computers with their own specialized firmware that run inside, but independently of, the main computer -- the server itself. The BMC software is typically unique to each server manufacturer, and it presents a management interface that gives administrators full control over the server and its operating system.

The level of access that BMC interfaces provide makes them highly powerful, which is why the security of BMC implementations has been scrutinized for years, and researchers have found various types of vulnerabilities affecting servers from different manufacturers.

Microsoft has identified and patched several vulnerabilities in the Windows Remote Desktop Services (RDS) component -- formerly known as Terminal Services -- which is widely used in corporate environments to remotely manage Windows machines. Some of the vulnerabilities can be exploited without authentication to achieve remote code execution and full system compromise, making them highly dangerous for enterprise networks if left unfixed.

All the flaws have been discovered internally by Microsoft during hardening of the RDS component, so no public exploits are available at this time. However, Microsoft researcher Justin Campbell said on Twitter that his team “successfully built a full exploit chain using some of these, so it's likely someone else will as well.”

Security researchers found a remotely exploitable critical vulnerability in a building management system used by businesses, hospitals, factories and other organizations to control things like ventilation, temperature, humidity, air pressure, lighting, secure doors and more. The vendor has released a firmware update, but hundreds of these systems are still exposed on the internet, highlighting the risks of remote management for ICS devices.

The vulnerability, tracked as CVE-2019-9569, was discovered by researchers from security firm McAfee and affects enteliBUS Manager (eBMGR), a control system that can be used to manage different I/O switches connected to things like sensors, alarms, motors, locks, valves and other industrial equipment. The system can also serve as a router for linking multiple Building Automation Control Network (BACnet) segments.

Security researchers have found a critical remote code execution vulnerability in popular models of enterprise VoIP desk phones made by Avaya. The flaw allows hackers to gain full control of the devices, listen in on calls and even turn the phone into a spying device.

Security researchers have found a new way to abuse the speculative execution mechanism of modern CPUs to break security boundaries and leak the contents of kernel memory. The new technique abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre.

The vulnerability was discovered by researchers from security firm Bitdefender and was reported to Intel almost a year ago. Since then, it has followed a lengthy coordination process that also involved Microsoft, which released mitigations during last month’s Patch Tuesday.

Researchers have found 11 serious vulnerabilities in VxWorks, the world's most popular real-time operating system (RTOS), which powers over 2 billion devices including enterprise network firewalls and routers, industrial controllers and medical equipment. Many of the flaws allow attackers to take over devices remotely by just sending network packets, which makes them particularly dangerous.

Researchers from IoT security firm Armis, who found the vulnerabilities, dubbed them URGENT/11 due to their widespread impact. The flaws are located in the operating system's TCP/IP stack, a core component that handles network communications, and six of them can result in remote code execution (RCE).

Since 1997, the Black Hat and DEF CON events have gained a reputation for presenting some of the most cutting-edge research in information security. The events have also had their share of controversy – sometimes enough to cause last-minute cancelations. For example, Chris Paget was forced to cancel his Black Hat RFID for Beginners talk in 2007 under threat of litigation from secure card maker HID Corp.

Many organizations are moving away from using the network perimeter as a trust indicator when building and enforcing access policies for apps and other IT resources. An increasing number of enterprises have started implementing authentication solutions that perform user identity verification and device security checks for every access attempt regardless of user location, and data shows they are increasingly favoring biometrics-type authentication.

The OpenSSH project has received a patch that prevents private keys from being stolen through hardware vulnerabilities that allow hackers to access restricted memory regions from unprivileged processes. The same approach could be used by other software applications to protect their secrets in RAM until the issues are fixed in future generations of SDRAM chips and CPUs.

The patch comes after a team of researchers recently presented an attack dubbed RAMBleed that exploits the design of modern memory modules to extract information from memory regions allocated to privileged processes and the kernel.

MongoDB has released a new version today featuring field-level encryption (FLE), a new mechanism that protects sensitive information stored in a database even if attackers compromise the database itself or the server it runs on.

MongoDB 4.2’s FLE implementation does not involve storing keys or performing any encryption and decryption operations on the server. Instead, these operations are performed by the MongoDB client library, also known as the driver, which is used by applications.

Researchers have devised a new attack that allows unprivileged code running on computers to steal secrets, such as cryptographic keys, that are stored in what should be protected memory regions. The attack is possible because of a known design issue with modern DRAM chips that has been exploited in the past to modify protected data.

Dubbed RAMBleed, the new attack is the work of researchers Andrew Kwong and Daniel Genkin from the University of Michigan, Daniel Gruss from the Graz University of Technology and Yuval Yarom from University of Adelaide and Data61. Using the new technique, the researchers were able to extract an RSA 2048-bit signing key from an OpenSSH server using code running with user-level privileges.

https://www.itworld.com/article/3402556/rowhammer-variant-rambleed-allows-attackers-to-steal-secrets-from-ram.html

From phish to network compromise in two hours: How Carbanak operates (Thu, 06 Jun 2019, Lucian Constantin)

Cybercriminal group Carbanak has stolen hundreds of millions of dollars from financial institutions. Here's a detailed analysis by Bitdefender of an attack on one bank.

https://www.csoonline.com/article/3400861/from-phish-to-network-compromise-in-two-hours-how-carbanak-operates.html

Phishing attacks that bypass 2-factor authentication are now easier to execute (Mon, 03 Jun 2019, Lucian Constantin)

Researchers released two tools -- Muraen and NecroBrowser -- that automate phishing attacks that can bypass 2FA. Most defenses won't stop them.

https://www.csoonline.com/article/3399858/phishing-attacks-that-bypass-2-factor-authentication-are-now-easier-to-execute.html